You need to open the Camera app on your iPhone or iPad and point the device at a QR code. If the code contains any URL, it will give you a notification with the link address, asking you to tap to visit it in Safari browser.However, be careful — you may not be visiting the URL displayed to you, security researcher Roman Mueller discovered.

According to Mueller, the URL parser of built-in QR code reader for iOS camera app fails to detect the hostname in the URL, which allows attackers to manipulate the displayed URL in the notification, tricking users to visit malicious websites instead.

For the demo, the researcher created a QR code (shown above) with the following URL:

https://xxx\@facebook.com:443@infosec.rm-it.de/

If you scan it with the iOS camera app, it will show following notification:

Open “facebook.com” in Safari

When you tap it to open the site, it will instead open:

https://infosec.rm-it.de/

I have tested the vulnerability, as shown in the screenshot above, on my iPhone X running iOS 11.2.6 and it worked.

QR (Quick Response) code is a quick and convenient way to share information, but the issue becomes particularly more dangerous when users rely on QR codes for making quick payments or opening banking websites, where they might end up giving their login credentials away to phishing websites.The researcher had already reported this flaw to Apple in December last year, but Apple hasn’t yet fixed the bug to the date.